
From Coinos

Hi folks we've been experiencing some disruptions over the past couple days as we've been working to mitigate against an attacker who found and exploited a vulnerability in our system that allowed them to get password reset codes for accounts that didn't belong to them.
Using this exploit they were able to gain access to a number of accounts that they shouldn't have had access to and withdraw funds.
We've patched the issue and believe we've revoked the attacker's access to the compromised accounts by invalidating their JWT authentication tokens and NWC secrets.
We've instituted system-wide withdrawal limits as a precautionary measure while we work to fully restore and migrate the payment records of affected accounts.
If you are seeing a blank screen when you visit the Coinos site, you may need to visit https://coinos.io/logout or clear your browser cache. If you have Coinos installed as a PWA you may need to uninstall it and re-add it to your home screen.
About 80 accounts had their passwords reset by the attacker but only a handful were actively stolen from. If your account was compromised you may be missing some recent transactions. We do have backups and will be writing scripts to find and restore those payment records over the coming days.
If you were using Coinos via NWC your NWC connection string secret may have changed in which case you will need to re-connect Coinos to your Nostr apps.
We'll be reverting unsolicited withdrawals and covering all losses ourselves to make all our users whole. Thankfully we caught the attack relatively quickly and managed to take corrective action before the attacker had time to fully drain our wallets.
Coinos is essentially a volunteer effort and one-man show on the tech front so please be patient as it's going to take me a few days to restore everything back to normal.
This incident has not shaken my resolve, only strengthened it.
Sincerely, Adam Soltys
If anyone has any additional questions
reply
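Added example, not Coinos code: a minimal model of the two controls the notice above describes, reset codes that are bound to one account and stored only as a hash, and a per-account revocation floor that kills every existing JWT and rotates the NWC secret the moment a password is reset. Names, the 15-minute code lifetime and the SHA-256 stand-in for a password KDF are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

CODE_TTL_SECONDS = 900  # assumed policy: a reset code lives 15 minutes


@dataclass
class Account:
    username: str
    contact: str                           # where reset codes are delivered
    password_hash: str
    nwc_secret: str = field(default_factory=lambda: secrets.token_hex(32))
    tokens_valid_after: float = 0.0        # JWTs with iat <= this are dead
    reset_code_hash: Optional[str] = None  # only the hash is ever stored
    reset_code_expiry: float = 0.0


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def request_reset(acct: Account, now: float) -> Tuple[str, str]:
    """Mint a single-use code bound to THIS account. The plaintext is
    returned only so the caller can deliver it to acct.contact; it must
    never appear in the HTTP response or be readable by another user."""
    code = f"{secrets.randbelow(10**8):08d}"
    acct.reset_code_hash = _h(code)
    acct.reset_code_expiry = now + CODE_TTL_SECONDS
    return acct.contact, code


def redeem_reset(acct: Account, code: str, new_password: str, now: float) -> bool:
    """Accept a code only if it was issued for acct, is unexpired and unused.
    A successful reset rotates the NWC secret and revokes every older JWT."""
    if acct.reset_code_hash is None or now > acct.reset_code_expiry:
        return False
    if not secrets.compare_digest(_h(code), acct.reset_code_hash):
        return False
    acct.reset_code_hash = None              # single use
    acct.password_hash = _h(new_password)    # stand-in for a real password KDF
    acct.nwc_secret = secrets.token_hex(32)  # old NWC connection strings stop working
    acct.tokens_valid_after = now            # every earlier session is invalid
    return True


def jwt_is_live(acct: Account, token_iat: float) -> bool:
    """Gate every request: a JWT survives only if issued after the floor."""
    return token_iat > acct.tokens_valid_after
```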
You need to make your randomly generated user passwords more complex. I was waiting for this to happen.
reply
They didn't crack passwords as far as I can tell, they just found a way to change them. But yes I'll consider making them stronger.
reply
109 sats \ 0 replies \ @Mumbo 31 Jan
Thanks for all your hard work on this great service!
reply
What's the limit for withdrawals? You might have already thought about this, but it would be interesting to have multiple NWC secrets, managed by us.
reply
21 sats \ 0 replies \ @Mumbo 31 Jan
I found it was about 4K sats a little while ago
reply
I'm varying the limit depending on whether I'm actively monitoring the server or not. I've been whitelisting individual accounts if I see them trying to withdraw or if they reach out and ask.
Yes multiple NWC secrets is something I was going to work on this week actually before this issue came up -- hopefully will get onto it next week when the dust settles.
reply
Grateful for heads-up! A reminder to withdraw
reply
LOL all this because you didn't want to pay 6000 sats for albyhub
reply
Are you sure about 6k per month? /cc @Alby
reply
👀
reply
More like 10K sats a month at current price, if you pay yearly.
reply
Don't you want multiple devs and apps taking different approaches to see what works and what doesn't. Failures can be learned from. I don't like the idea of everyone using one company for something like this or even everyone using one approach. We are super early. Many of these apps will try and fail. Alby is very likely to fail as well. This take seems pretty narrow.
reply
Yeah all for optionality and for people to as always use at own risk.
If it's small amounts, I mean, go nuts: use WoS, use Coinos, use ecash mints; just don't moan if you lose access to those funds and overexposed yourself.
Just a good reminder to trim your positions if you're custodially inclined; at that, any on-chain fee is still cheaper than losing your balance.
reply
Darth was right again... I told you so.
reply
30 sats \ 21 replies \ @OT 31 Jan
You have coinos.io in your guides. What are you right about? SN going to CC?
reply
I said several times here on SN that more pressure on coinos will create situations like this. SN (with p2p zaps) pushed a lot of users into coinos - TOTALLY WRONG! And that is not at all a self-custodial wallet; you are better off using CCs.
Coinos should not be used for zaps. Coinos had a focus: to onboard new merchants easily in Canada and other regions. But people started abusing their services. And as always, when many people start abusing a nice service, it will end up fucked up.
You have coinos.io in your guides.
Yes I recommend it for new small merchants to start with it, not for people to abuse their services with stupid zaps.
More users attract more bad actors that will fuck up something nice.
reply
I said several times here on SN that more pressure on coinos will create situations like this.
So you did not predict this at all.
Darth was right again... I told you so.
"I told you so" is a funny thing to say when you didn't say so at all.
You didn't like people using this custodial service for completely unrelated reasons
reply
go read all my warnings in the past
reply
it’s time then for another guide showcasing other options
reply
No, it's time for stackers to listen to Darth's warnings. Use the damn CCs and nothing wrong will happen. Case closed.
reply
Using CCs is much easier and fun, I agree… it skips many issues when attaching a wallet. But at the same time, someone needs to fund these CCs, no? Or are they created from thin air?
More users attract more bad actors that will fuck up something nice.
Not even related to stackers. If you read some news, you'll know that many services are being attacked globally. This is happening after Bitcoin's all-time high. Please write something that makes sense at least. Bad actors are not even here on Stacker News you don't know the outside world because you live very remotely.
reply
I live on internet dumb ass
reply
I don't argue with ignorant dumb asses.
Custodial services are not the way.
reply
Yes 👌
reply
hey i appreciate this and everything you all are doing. i think custodial lightning has a place and you all are excellent at it. you make testing my lightning apps and lots of other experiments fun again. keep at dudes and don't let the haters get you down. you have fans too!
reply
Good thing I only had 700 sats on my wallet
reply
0 sats \ 1 reply \ @398ja 31 Jan
Anyone else getting this?
reply
Please email your IP address to support@coinos.io so we can unban you. It must've been blocked by mistake.
reply
Is it even possible to withdraw atm? I'm hearing friends deposited and now they are stuck with over 1 million sats in there... How come you're letting people deposit but not withdraw? This is a fkin disaster...
reply
How is it a disaster when you use a free custodial service and uptime is only 99% instead of 100%
beggars can't be choosers
reply
Agree 👍
reply
Withdrawals are limited especially for accounts that we deemed to be compromised but you can reach out to support@coinos.io and we can manually whitelist you for now. We'll be relaxing the withdrawal limits and eventually removing them as we gain confidence in our countermeasures.
reply
It sucks, but about 4K sats at a time can still be withdrawn
reply
I was able to do a withdrawal since this post was posted.
reply
0 sats \ 1 reply \ @anon 31 Jan
Yeah, I was also able to pay 100 sats to post this shit, but I keep getting a 1 milly rejected with message 'no funds available'... What a fkin disaster.
reply
Had to drop down to 4K sats for it to work.
reply
deleted by author